| Standard | FIPS 140-3 |
|---|---|
| Overall level | 1 |
| Module type | Software |
| Embodiment | Multi-Chip Stand Alone |
| Status | Active |
| Sunset date | 1/29/2029 |
| Caveat | When operated in approved mode. No assurance of the minimum strength of generated SSPs (e.g., keys) |
| Vendor | Corsec Security, Inc. |
flowchart LR
%% Deterministic review-risk graph for CorSSL
%% Review prompts and evidence gaps, NOT vulnerability findings.
subgraph CMVP["CMVP-disclosed clues"]
C3["[low] Self-test / status surface<br/>(referenced in text)<br/><i>Self-Test<br/>Status Output</i>"]
C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>TLS<br/>SSH<br/>HTTPS</i>"]
C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system<br/>application</i>"]
end
subgraph Inference["Derived inference"]
I3["Possible only, some<br/>services may process input<br/>before, or without,<br/>operator authentication."]
I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
end
subgraph Risk["Reviewer question"]
R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
end
subgraph Evidence["Evidence needed to close"]
E3["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
end
C3 --> I3 --> R3 --> E3
C5 --> I5 --> R5 --> E5
C6 --> I6 --> R6 --> E6
classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
class C3,C5,C6 clue;
class I3,I5,I6 infer;
class R3,R5,R6 risk;
class E3,E5,E6 evidence;flowchart LR
%% Deterministic clue tier for CorSSL
%% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
subgraph CMVP["CMVP-disclosed clues (deterministic)"]
C3["[low] Self-test / status surface (referenced in text)<br/><i>Self-Test<br/>Status Output</i><br/>src: text:keyword"]
C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>TLS<br/>SSH<br/>HTTPS</i><br/>src: text:keyword"]
C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system<br/>application</i><br/>src: text:keyword"]
end
classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
class C3,C5,C6 clueLow;Corsec Security, Inc. CorSSL™ Software Version: 1.1.1s.006 FIPS Security Level: 1 Document Version: 0.1 Prepared by: Corsec Security, Inc.
Fairfax, VA 22033 United States of America Phone: +1 703 267 6050 www.corsec.com
Abstract This is a non-proprietary Cryptographic Module Security Policy for CorSSL™ (software version: 1.1.1s.006) from Corsec Security, Inc. (Corsec). This Security Policy describes how CorSSL meets the security requirements of Federal Information Processing Standards (FIPS) Publication 140-3, which details the U.S. and Canadian government requirements for cryptographic modules. More information about the FIPS 140-3 standard and validation program is available on the Cryptographic Module Validation Program (CMVP) website, which is maintained by the National Institute of Standards and Technology (NIST) and the Canadian Centre for Cyber Security (CCCS). This document also describes how to run the module in a secure Approved mode of operation. This policy was prepared as part of the Level 1 FIPS 140-3 validation of the module. CorSSL is referred to in this document as “CorSSL” or “module”. References This document deals only with operations and capabilities of the module in the technical terms of a FIPS 140-3 cryptographic module security policy. More information is available on the module from the following sources:
| # | Section | Page |
|---|
| Item | Page |
|---|---|
| Table 1 – Security Levels | 5 |
| Table 2 – Tested Operational Environments | 7 |
| Table 3 – Approved Algorithms | 8 |
| Table 4 – Non-Approved Algorithms Allowed in the Approved Mode of Operation | 12 |
| Table 5 – Non-Approved Algorithms Not Allowed in the Approved Mode of Operation | 12 |
| Table 6 – Ports and Interfaces | 16 |
| Table 7 – Roles, Service Commands, Input and Output | 17 |
| Table 8 – Approved Services | 19 |
| Table 9 – Non-Approved Services | 20 |
| Table 10 – SSPs | 26 |
| Table 11 – Non-Deterministic Random Number Generation Specification | 29 |
| Table 12 – Acronyms and Abbreviations | 36 |
| Figure 1 – GPC Block Diagram | 14 |
| Figure 2 – Module Block Diagram (with Cryptographic Boundary) | 15 |
1 General 1
2 Cryptographic Module Specification 1
3 Cryptographic Module Interfaces 1
4 Roles, Services, and Authentication 1
5 Software/Firmware Security 1
6 Operational Environment 1
7 Physical Security N/A
8 Non-Invasive Security N/A
API
CorSSL™ 1.1.1s.006 ©2024 Corsec Security, Inc.
ISO/IEC 24579 Section 6. FIPS 140-3 Section Title Security Level [Number Below]
9 Sensitive Security Parameter Management 1
10 Self-Tests 1
11 Life-Cycle Assurance 1
12 Mitigation of Other Attacks N/A
The module has an overall security level of 1. CorSSL™ 1.1.1s.006 ©2024 Corsec Security, Inc.
2. Cryptographic Module Specification CorSSL is a software module with a multi-chip standalone embodiment. The module is designed to operate within a modifiable operational environment. Additionally, the module is designed to utilize the AES-NI 5 extended instruction set when available by the host platform’s CPU for processor algorithm acceleration (PAA) of its AES implementation.
The module was tested and found to be compliant with FIPS 140-3 requirements on the operational environments (OE) listed in Table 2. Table 2
1 Debian 9 Dell PowerEdge R440 Intel® Xeon Silver 4214R With (AES-NI)
2 Debian 9 Dell PowerEdge R440 Intel® Xeon Silver 4214R Without
There are no vendor-affirmed operational environments claimed. Module operators may perform post-validation porting of the module and affirm the module’s continued validation compliance. The cryptographic module will remain compliant with the FIPS 140-3 validation on any general-purpose platform/processor that supports the specified operating system listed on the validation entry, or another compatible operating system. The CMVP makes no statement as to the correct operation of the module or the security strengths of the generated keys when ported to an operational environment not listed on the validation certificate.
Validation certificates for each Approved security function are listed in Table 3. Note that there are algorithms, modes, and key/moduli sizes that have been CAVP-tested but are not used by any Approved service of the module. Only the algorithms, modes/methods, and key lengths/curves/moduli shown in Table 3 are used by an Approved service of the module.
CorSSL™ 1.1.1s.006 ©2024 Corsec Security, Inc.
Table 3
6 This table includes vendor-affirmed algorithms that are approved but CAVP testing is not yet available.
ECB
GCM
XTS
TLS
CorSSL™ 1.1.1s.006 ©2024 Corsec Security, Inc.
CAVP Algorithm and Mode / Method Description / Key Size(s) / Use / Function Certificate6 Standard Key Strengths A4979 CVL KDF (TLS v1.3) - Key derivation RFC 8446 No part of the TLS v1.3 protocol, other than the KDF, has been tested by the CAVP and CMVP. A4978 DRBG26 Counter-based 128, 192, 256-bit AES-CTR Deterministic random bit NIST SP 800-90Arev1 generation A4978 DSA27 KeyGen 2048/224, 2048/256, Key pair generation FIPS PUB 186-4 3072/256 PQGGen 2048/224, 2048/256, Domain parameter generation 3072/256 (SHA2-224, SHA2256, SHA2-384, SHA2-512) PQGVer 2048/224, 2048/256, Domain parameter verification 3072/256 (SHA2-224, SHA2256, SHA2-384, SHA2-512) SigGen 2048/224, 2048/256, Digital signature generation 3072/256 (SHA2-224, SHA2256, SHA2-384, SHA2-512) SigVer 2048/224, 2048/256, Digital signature verification 3072/256 (SHA-1, SHA2-224, SHA2-256, SHA2-384, SHA2512) A4978 ECDSA28 KeyGen B-233, B-283, B-409, B-571, Key pair generation FIPS PUB 186-4 K-233, K-283, K-409, K-571, Secret generation mode: P-224, P-256, P-384, P-521 Testing candidates KeyVer B-163, B-233, B-283, B-409, Public key validation B-571, K-163, K-233, K-283, K-409, K-571, P-192, P-224, P-256, P-384, P-521 SigGen B-233, B-283, B-409, B-571, Digital signature generation K-233, K-283, K-409, K-571, P-224, P-256, P-384, P-521 (SHA2-224, SHA2-256, SHA2384, SHA2-512) SigVer B-163, B-233, B-283, B-409, Digital signature verification B-571, K-163, K-233, K-283, K-409, K-571, P-192, P-224, P-256, P-384, P-521 (SHA-1, SHA2-224, SHA2-256, SHA2384, SHA2-512)
DSA
CorSSL™ 1.1.1s.006 ©2024 Corsec Security, Inc.
CAVP Algorithm and Mode / Method Description / Key Size(s) / Use / Function Certificate6 Standard Key Strengths A4978 HMAC SHA-1, SHA2-224, SHA2- 112 (minimum) Message authentication FIPS PUB 198-1 256, SHA2-384, SHA2512, SHA3-224, SHA3256, SHA3-384, SHA3A4978 KAS-ECC-SSC29 ephemeralUnified B-233, B-283, B-409, B-571, Shared secret computation NIST SP 800-56Arev3 K-233, K-283, K-409, K-571, P-224, P-256, P-384, P-521 A4978 KAS-FFC-SSC30 dhEphem 2048/224 (FB), 2048/256 NIST SP 800-56Arev3 (FC) A4978 KDA31 HKDF SHA2-224, SHA2-256, SHA2- Key derivation NIST SP 800-56Crev2 384, SHA2-512, SHA2512/224, SHA2-512/256, SHA3-224, SHA3-256, SHA3384, SHA3-512) A4978 KTS32 AES-CCM 128, 192, 256 Key wrap/unwrap (authenticated NIST SP 800-38C encryption)33 Key establishment methodology provides between 128 and 256 bits of encryption strength A4978 KTS AES-GCM 128, 192, 256 Key wrap/unwrap (authenticated NIST SP 800-38D encryption)34 Key establishment methodology provides between 128 and 256 bits of encryption strength A4978 KTS AES-KW, AES-KWP 128, 192, 256 Key wrap/unwrap NIST SP 800-38F Key establishment methodology provides between 128 and 256 bits of encryption strength A4978 KTS AES-CMAC 128, 192, 256 Key wrap/unwrap (encryption FIPS PUB 197 with message authentication)35 NIST SP 800-38B Key establishment methodology provides between 128 and 256 bits of encryption strength A4978 KTS AES-ECB with HMAC 128, 192, 256 Key wrap/unwrap (encryption FIPS PUB 197 with message authentication)36 FIPS PUB 198-1 Key establishment methodology provides between 128 and 256 bits of encryption strength
29 KAS-ECC-SSC
KAS-SSC
33 Per FIPS 140-3 Implementation Guidance D.G, AES-CCM is an Approved key transport technique.
34 Per FIPS 140-3 Implementation Guidance D.G, AES-GCM is an Approved key transport technique.
Per FIPS 140-3 Implementation Guidance D.G, AES with CMAC is an Approved key transport technique.
36 Per FIPS 140-3 Implementation Guidance D.G, AES (in any Approved mode) with HMAC is an Approved key transport technique.
CorSSL™ 1.1.1s.006 ©2024 Corsec Security, Inc.
CAVP Algorithm and Mode / Method Description / Key Size(s) / Use / Function Certificate6 Standard Key Strengths A4978 PBKDF237 Section 5.4, option 1a SHA-1, SHA2-224, SHA2-256, Password-based key derivation NIST SP 800-132 SHA2-384, SHA2-512, SHA3224, SHA3-256, SHA3-384, SHA3-512 A4978 RSA38 Key generation mode: 2048, 3072, 4096 Key pair generation FIPS PUB 186-4, B.3.3 Appendix B.3.3 A4978 RSA X9.31 2048, 3072, 4096 (SHA2-256, Digital signature generation FIPS PUB 186-4 SHA2-384, SHA2-512) 1024, 2048, 3072, 4096 Digital signature verification (SHA-1, SHA2-256, SHA2384, SHA2-512) PKCS#1 v1.5 2048, 3072, 4096 (SHA2-224, Digital signature generation SHA2-256, SHA2-384, SHA2512) 1024, 2048, 3072, 4096 Digital signature verification (SHA-1, SHA2-224, SHA2256, SHA2-384, SHA2-512) PSS39 2048, 3072, 4096 (SHA2-224, Digital signature generation SHA2-256, SHA2-384, SHA2512) 1024, 2048, 3072, 4096 Digital signature verification (SHA-1, SHA2-224, SHA2256, SHA2-384, SHA2-512) A4978 SHA-3 SHA3-224, SHA3-256, - Message digest FIPS PUB 202 SHA3-384, SHA3-512, SHAKE40-128, SHAKE-256 A4978 SHS41 SHA-1, SHA2-224, SHA2- - Message digest FIPS PUB 180-4 256, SHA2-384, SHA2A4978 Triple-DES CBC, CFB1, CFB8, CFB64, 168 Decryption NIST SP 800-67 ECB, OFB NIST SP 800-38A A4978 Triple-DES CMAC 112, 168 MAC verification NIST SP 800-67 NIST SP 800-38B The vendor affirms the following cryptographic security methods:
SHAKE
CorSSL™ 1.1.1s.006 ©2024 Corsec Security, Inc.
seed is an unmodified output from the DRBG. The cryptographic module invokes a GET command to obtain entropy for random number generation (the module requests 256 bits of entropy from the calling application per request), and then passively receives entropy from the calling application while having no knowledge of the entropy source and exercising no control over the amount or the quality of the obtained entropy. The calling application and its entropy sources are located within the operational environment inside the module’s physical perimeter but outside the cryptographic boundary. Thus, there is no assurance of the minimum strength of the generated keys. The module implements the non-Approved but allowed algorithms shown in Table 4 below. Table 4
CorSSL™ 1.1.1s.006 ©2024 Corsec Security, Inc.
Algorithm Use / Function DSA (non-compliant) Digital signature generation ECDSA (non-compliant) Digital signature generation RSA (non-compliant when used with SHA-1 outside Digital signature generation the TLS protocol) DSA (non-compliant with key sizes below the Key pair generation, digital signature verification minimums Approved for Approved mode) ECDH (non-compliant with curves P-192, K-163, B- Key agreement 163, and non-NIST curves) ECDSA (non-compliant with curves P-192, K-163, B- Key pair generation, digital signature verification 163, and non-NIST curves) EdDSA44 Key pair generation, digital signature generation, digital signature verification IDEA Encryption/decryption MD2, MD4, MD5 Message digest Poly1305 Message authentication code RC245, RC4, RC5 Encryption/decryption RIPEMD Message digest RMD160 Message digest RSA (non-compliant with non-approved/untested key Key pair generation; digital signature generation; digital sizes, and functions) signature verification; key transport SEED Encryption/decryption SM2, SM3 Message digest SM4 Encryption/decryption Triple-DES (non-compliant) Encryption; MAC generation; key wrap Whirlpool Message digest
As a software cryptographic module, the module has no physical components. The physical perimeter of the cryptographic module is defined by each host platform on which the module is installed. Figure 1 below illustrates a block diagram of a typical GPC and the module’s physical perimeter. EdDSA
CorSSL™ 1.1.1s.006 ©2024 Corsec Security, Inc.
Hardware Network DVD RAM Management Interface HDD Clock SCSI/SATA Generator Controller LEDs/LCD CPU Serial I/O Hub Audio Cache PCI/PCIe Slots USB BIOS Power Graphics PCI/PCIe Interface Controller Slots External Power Supply KEY: BIOS
libssl libssl.hmac Calling Application libcrypto libcrypto.hmac KEY: Cryptographic Boundary Physical Perimeter Operating System Data Input Data Output Control Input Control Output CPU Memory Storage Ports Status Output System Calls Host Device Figure 2
The module supports two modes of operation: Approved and non-Approved. The module will be in Approved mode when all pre-operational self-tests have completed successfully, and only Approved services are invoked. Table 3 and Table 4 above list the Approved and allowed algorithms; Table 8 provides descriptions of the Approved services. The module can also alternate service-by-service between Approved and non-Approved modes of operation. The module will switch to the non-Approved mode upon execution of a non-Approved service. The module will switch back to the Approved mode upon execution of an Approved service. Table 5 lists the non-Approved algorithms implemented by the module; Table 9 below lists the services that constitute the non-Approved mode. When following the guidance in this document, CSPs are not shared between Approved and non-Approved services and modes of operation. CorSSL™ 1.1.1s.006 ©2024 Corsec Security, Inc.
4. Roles, Services, and Authentication The sections below describe the module’s authorized roles, services, and operator authentication methods.
The module supports a Crypto Officer (CO) that authorized operators can assume. The CO role performs cryptographic initialization or management functions and general security services. The module also supports the following role(s):
CorSSL™ 1.1.1s.006 ©2024 Corsec Security, Inc.
Role Service Input Output User Verify digital signature API call parameters, key, Status signature, message User Perform key wrap API call parameters, encryption Status, encrypted key key, key User Perform key unwrap API call parameters, decryption Status, decrypted key key, encrypted key User Compute shared secret API call parameters Status, shared secret User Derive SSH keys API call parameters, SSH master Status, SSH keys secret User Derive TLS keys API call parameters, TLS pre- Status, TLS keys master secret User Derive key via HKDF API call parameters Status, key User Derive key via PBKDF2 API call parameters, passphrase Status, key User Generate symmetric digest API call parameters, key, message Status, MAC (CMAC)
The module does not support authentication mechanisms; roles are implicitly selected based on the service invoked. Refer to Table 7 above for a listing of the services associated with each authorized role.
Descriptions of the services available to the authorized roles are provided in Table 8 below. This module is a software library that provides cryptographic functionality to calling applications. As such, the security functions provided via the module’s APIs are considered security services, and the module provides indicators for Approved security services as required by FIPS 140-3 IG 2.4.C. When invoking an API for an offered security service, the calling application provides inputs (keys, key sizes, modes, etc.) that the module combines into a single, internal structure, or “context”, that drives the execution of the cryptographic service. Each security service invocation will determine if the invoked service is an Approved security service. Upon completion of the service, that context is first updated with the results of the service as well as the Approved security service indicator, and then returned to the calling application. To access the indicator value from the context, the calling application must pass the resultant context to the indicator API associated with that security function (note the indicator check must be performed before any context cleanup is performed). The indicator API will return “1” to indicate the usage of an Approved service. Indicators for services providing non-Approved security functions (as well as for services not requiring an indicator) will have a value other than “1”, ensuring that the indicators for Approved services are unambiguous. Additional details on the APIs used for the Approved service indicators are provided in Appendix B below. Please note that the keys and Sensitive Security Parameters (SSPs) listed in the table indicate the type of access required using the following notation:
Service Description Approved Security Function(s) Keys and/or SSPs Roles Access Rights to Keys and/or Indicator SSPs Verify ECDSA Verify an ECDSA ECDSA (Cert. A4978) ECDSA public key User ECDSA public key
Service Description Algorithm(s) Accessed Role Indicator Perform MAC operations Perform message Poly1305, Triple-DES/CMAC User API return value (non-compliant) authentication operations (non-compliant for MAC generation) Perform hash operation (non- Perform hash operation MD2, MD4, MD5, RIPEMD, User API return value compliant) RMD160, SM2, SM3, Whirlpool Perform digital signature Perform digital signature DSA (non-compliant), ECDSA User API return value functions (non-compliant) functions (non-compliant), EdDSA, RSA (non-compliant) Perform key encapsulation Perform key encapsulation RSA (non-compliant) User API return value (non-compliant) functions Perform key un-encapsulation Perform key un-encapsulation RSA (non-compliant) User API return value (non-compliant) functions Perform key wrap (non- Perform key wrap functions Triple-DES/CMAC (non- User API return value compliant) compliant) Perform authenticated Perform authenticated AES-OCB User API return value encryption/decryption (non- encryption/decryption compliant) Perform random number Perform random number ANSI X9.31 RNG (with 128-bit User API return value generation (non-compliant) generation AES core) Perform key pair generation Perform key pair generation DSA (non-compliant), ECDSA User API return value (non-compliant) (non-compliant), EdDSA, RSA (non-compliant) CorSSL™ 1.1.1s.006 ©2024 Corsec Security, Inc.
5. Software/Firmware Security All software components within the cryptographic boundary are verified using an Approved integrity technique implemented within the cryptographic module itself. The module implements independent HMAC SHA2-256 digest checks to test the integrity of each library file ; failure of the integrity check on either library file will cause the module to enter a critical error state. The module’s integrity check is performed automatically at module instantiation (i.e., when the module is loaded into memory for execution) without action from the module operator. The CO can initiate the pre-operational tests on demand by re-instantiating the module or issuing the FIPS_selftest() API command. CorSSL is not a standalone application; it is a cryptographic toolkit intended for use in a with a vendor’s solution. The module will be linked to a host application, and the host application will be pre-installed onto a target platform by the vendor or installed onto target platforms by the end-user. The module requires no configuration steps to be performed by application developers or end-users, and no action is required from developers or end-users to initialize the module for operation. The module is designed with a default entry point (DEP) that ensures that the pre-operational tests and conditional CASTs are initiated automatically when the module is loaded. CorSSL™ 1.1.1s.006 ©2024 Corsec Security, Inc.
6. Operational Environment CorSSL comprises a software cryptographic library that executes in a modifiable operational environment. The cryptographic module has control over its own SSPs. The process and memory management functionality of the host device’s OS prevents unauthorized access to plaintext private and secret keys, intermediate key generation values and other SSPs by external processes during module execution. The module only allows access to SSPs through its well-defined API. The operational environments provide the capability to separate individual application processes from each other by preventing uncontrolled access to CSPs and uncontrolled modifications of SSPs regardless of whether this data is in the process memory or stored on persistent storage within the operational environment. Processes that are spawned by the module are owned by the module and are not owned by external processes/operators. Please refer to section 2.1 of this document for a list/description of the applicable operational environments. CorSSL™ 1.1.1s.006 ©2024 Corsec Security, Inc.
7. Physical Security The cryptographic module is a software module and does not include physical security mechanisms. Therefore, per ISO/IEC 19790:2012(E) section 7.7.1, requirements for physical security are not applicable. CorSSL™ 1.1.1s.006 ©2024 Corsec Security, Inc.
8. Non-Invasive Security This section is not applicable. There are currently no approved non-invasive mitigation techniques referenced in ISO/IEC 19790:2021 Annex F. CorSSL™ 1.1.1s.006 ©2024 Corsec Security, Inc.
9. Sensitive Security Parameter Management
The module supports the keys and other SSPs listed in Table 10. Note that all SSP import and export is electronic and is performed within the Tested OE’s Physical Perimeter (TOEPP). Table 10
Key/SSP Strength Security Function Generation Import / Export Establishment Storage Zeroization Use & Related Name/Type and Cert. Number Keys DSA private key 112 or 128 bits DSA Generated via Imported in plaintext - Not persistently Unload module; Digital signature (CSP) (Cert. A4978) Approved DRBG via API parameter stored by the Remove power generation module Exported in plaintext via API parameter DSA public key 112 or 128 bits DSA Generated via Imported in plaintext - Not persistently Unload module; Digital signature (PSP) (Cert. A4978) approved DRBG via API parameter stored by the Remove power verification module Exported in plaintext via API parameter ECDSA private Between 112 ECDSA Generated via Imported in plaintext - Not persistently Unload module; Digital signature key and 256 bits (Cert. A4978) approved DRBG via API parameter stored by the Remove power generation (CSP) module Exported in plaintext via API parameter ECDSA public Between 112 ECDSA Generated via Imported in plaintext - Not persistently Unload module; Digital signature key and 256 bits (Cert. A4978) approved DRBG via API parameter stored by the Remove power verification (PSP) module Exported in plaintext via API parameter RSA private key Between 112 RSA Generated via Imported in plaintext - Not persistently Unload module; Digital signature (CSP) and 150 bits (Cert. A4978) approved DRBG via API parameter stored by the Remove power generation module KTS Exported in plaintext (Cert. A4978) via API parameter RSA public key Between 80 and RSA Generated via Imported in plaintext - Not persistently Unload module; Digital signature (PSP) 150 bits (Cert. A4978) approved DRBG via API parameter stored by the Remove power verification module KTS Exported in plaintext (Cert. A4978) via API parameter DH private 112 bits KAS-SSC-FFC Generated via Imported in plaintext - Not persistently Unload module; DH shared component (Cert. A4978) approved DRBG via API parameter stored by the Remove power secret (CSP) module computation Exported in plaintext via API parameter DH public 112 bits KAS-SSC-FFC Generated via Imported in plaintext - Not persistently Unload module; DH shared component (Cert. A4978) approved DRBG via API parameter stored by the Remove power secret (PSP) module computation Exported in plaintext via API parameter ECDH private Between 112 KAS-SSC-ECC Generated via Imported in plaintext - Not persistently Unload module; ECDH shared component and 256 bits (Cert. A4978) approved DRBG via API parameter stored by the Remove power secret (CSP) module computation Exported in plaintext via API parameter ECDH public Between 112 KAS-SSC-ECC Generated via Imported in plaintext - Not persistently Unload module; ECDH shared component and 256 bits (Cert. A4978) approved DRBG via API parameter stored by the Remove power secret (PSP) module computation Exported in plaintext via API parameter Other SSPs Passphrase - PBKDF - Imported in plaintext - Not persistently Unload module; Input to PBKDF (PSP) (Cert. A4978) via API parameter stored by the Remove power for key module derivation Never exported AES GCM IV - AES (GCM mode) Generated in - - Not persistently Unload module; Initialization (CSP) (Cert. A4978) compliance with stored by the Remove power vector for AES the provisions of a module GCM peer-to-peer industry standard protocol CorSSL™ 1.1.1s.006 ©2024 Corsec Security, Inc.
Key/SSP Strength Security Function Generation Import / Export Establishment Storage Zeroization Use & Related Name/Type and Cert. Number Keys SSH shared - KDF (SSH) - Imported in plaintext Established via Not persistently Unload module; Derivation of secret (Cert. A4978) via API parameter ECC/FFC shared stored by the Remove power the AES key and (CSP) secret module HMAC key used Exported in plaintext computation for securing SSH via API parameter connections TLS pre-master - KDF (TLS 1.0/1.1) - Imported in plaintext Established via Not persistently Unload module; Derivation of secret (Cert. A4978) via API parameter ECC/FFC shared stored by the Remove power the TLS master (CSP) secret module secret KDF (TLS 1.2) Exported in plaintext computation (Cert. A4978) via API parameter KDF (TLS 1.3) (Cert. A4979) TLS master - KDF (TLS 1.0/1.1) - - Established via Not persistently Unload module; Derivation of secret (Cert. A4978) TLS KDF (using stored by the Remove power the AES/AES(CSP) imported TLS module GCM key and KDF (TLS 1.2) pre-master HMAC key used (Cert. A4978) secret) for securing TLS connections KDF (TLS 1.3) (Cert. A4979) DRBG entropy - DRBG - Imported in plaintext - Not persistently Unload module; Entropy material input (Cert. A4978) via API parameter47; stored by the Remove power for DRBG (CSP) module Never exported DRBG seed - DRBG Generated using - - Not persistently Unload module; Seeding material (CSP) (Cert. A4978) nonce along with stored by the Remove power for DRBG DRBG entropy module input DRBG ‘V’ value - DRBG Generated - - Not persistently Unload module; State values for (CSP) (Cert. A4978) stored by the Remove power DRBG module DRBG ‘Key’ - DRBG Generated - - Not persistently Unload module; State values for value (Cert. A4978) stored by the Remove power DRBG (CSP) module
The module implements the following Approved DRBG:
There is no mechanism within the module’s cryptographic boundary for the persistent storage of SSPs. The module stores DRBG state values for the lifetime of the DRBG instance. The module uses SSPs passed in on the stack by the calling application and does not store these SSPs beyond the lifetime of the API call.
Maintenance, including protection and zeroization, of any keys and CSPs that exist outside the module’s cryptographic boundary are the responsibility of the end-user. For the zeroization of keys in volatile memory, module operators can unload the module from memory or reboot/power-cycle the host device.
Table 11 below specifies the module’s entropy sources. Table 11
10. Self-Tests Both pre-operational and conditional self-tests are performed by the module. Pre-operational tests are performed between the time the cryptographic module is instantiated and before the module transitions to the operational state. Conditional self-tests are performed by the module during module operation when certain conditions exist. The following sections list the self-tests performed by the module, their expected error status, and the error resolutions.
The module performs the following pre-operational self-test(s):
The module performs the following conditional self-tests:
CorSSL™ 1.1.1s.006 ©2024 Corsec Security, Inc.
To ensure all CASTs are performed prior to the first operational use of the associated algorithm, all CASTs are performed during the module’s initial power-up sequence. The SHA and HMAC KATs are performed prior to the pre-operational software integrity test; all other CASTs are executed after the successful completion of the software integrity test.
The module reaches the critical error state when any self-test fails. Upon test failure, the module will set an internal flag and enter a critical error state. In this state, the module will no longer perform cryptographic services or output data over the data output interfaces. For any subsequent request for cryptographic services, the module will return a failure indicator. To recover, the module must be re-instantiated by the calling application. If the pre-operational self-tests complete successfully, then the module can resume normal operations. If the module continues to experience self-test failures after reinitializing, then the module will not be able to resume normal operations, and the CO should contact Corsec Security, Inc. for assistance.
CorSSL™ 1.1.1s.006 ©2024 Corsec Security, Inc.
11. Life-Cycle Assurance The sections below describe how to ensure the module is operating in its validated configuration, including the following:
The module is distributed as a package containing the binaries and HMAC digest files that the Crypto Officer is to install on a platform specified in section 2.1 or one where portability is maintained.
This module is designed to support third-party vendor applications, and these applications are the sole consumers of the cryptographic services provided by the module. No end-user action is required to initialize the module for operation; the calling application performs any actions required to initialize the module. The pre-operational integrity test and cryptographic algorithm self-tests are performed automatically via a default entry point (DEP) when the module is loaded for execution, without any specific action from the calling application or the end-user. End-users have no means to short-circuit or bypass these actions. Failure of any of the initialization actions will result in a failure of the module to load for execution.
No setup steps are required to be performed by end-users.
There are no specific management activities required of the CO role to ensure that the module runs securely. However, if any irregular activity is noticed or the module is consistently reporting errors, then Corsec Customer Support should be contacted. The following list provides additional guidance for module administrators:
The following list provides additional policies for non-Administrators:
In the event that power to the module is lost and subsequently restored, the calling application must ensure that any AES-GCM keys used for encryption or decryption are re-distributed.
12. Mitigation of Other Attacks This section is not applicable. The module does not claim to mitigate any attacks beyond the FIPS 140-3 Level 1 requirements for this validation. CorSSL™ 1.1.1s.006 ©2024 Corsec Security, Inc.
Appendix A. Acronyms and Abbreviations Table 12 provides definitions for the acronyms and abbreviations used in this document. Table 12
Term Definition GPC General-Purpose Computer HMAC (keyed-) Hash Message Authentication Code KAS Key Agreement Scheme KAT Known Answer Test KDF Key Derivation Function KTS Key Transport Scheme KW Key Wrap KWP Key Wrap with Padding MD Message Digest NIST National Institute of Standards and Technology OCB Offset Codebook OE Operational Environment OFB Output Feedback OS Operating System PBKDF Password-Based Key Derivation Function PCT Pairwise Consistency Test PKCS Public Key Cryptography Standard PSS Probabilistic Signature Scheme PUB Publication RC Rivest Cipher RNG Random Number Generator RSA Rivest Shamir Adleman SHA Secure Hash Algorithm SHAKE Secure Hash Algorithm KECCAK SHS Secure Hash Standard SP Special Publication SSC Shared Secret Computation SSP Sensitive Security Parameter TDES Triple Data Encryption Standard TLS Transport Layer Security TOEPP Tested OE’s Physical Perimeter XEX XOR Encrypt XOR XTS XEX-Based Tweaked-Codebook Mode with Ciphertext Stealing CorSSL™ 1.1.1s.006 ©2024 Corsec Security, Inc.
Appendix B. Approved Service Indicators This appendix specifies the APIs that are externally accessible and return the Approved security service indicators. Synopsis #include <openssl/service_indicator.h> #include <openssl/ssl.h> int EVP_cipher_get_service_indicator(EVP_CIPHER_CTX *ctx); int DSA_get_service_indicator(DSA * ptr_dsa, DSA_MODES_t mode); int RSA_key_get_service_indicator(RSA * ptr_rsa); int PBKDF_get_service_indicator(); int EVP_Digest_get_service_indicator(EVP_MD_CTX *ctx); int EC_key_get_service_indicator(EC_KEY *ec_key); int CMAC_get_service_indicator(CMAC_CTX *cmac_ctx, CMAC_MODE_t mode); int HMAC_get_service_indicator(HMAC_CTX *ctx); int TLSKDF_get_service_indicator(EVP_PKEY_CTX *tls_ctx); int TLS1_3_kdf_get_service_indicator(EVP_MD *md); int TLS1_3_get_service_indicator(SSL *s); int DRBG_get_service_indicator(RAND_DRBG *drbg); Description These APIs are high-level interfaces that return the Approved security service indicator value based on the parameter(s) passed to them.
int NID = EVP_CIPHER_CTX_nid(ctx); fprintf(stdout,"EVP_des_ede3_ecb (NID %i) encrypt indicator = %i\n", NID, EVP_cipher_get_service_indicator(ctx)); EVP_CIPHER_CTX_cleanup(ctx); //Decrypt ctx = EVP_CIPHER_CTX_new(); EVP_DecryptInit_ex(ctx, cipher, NULL, key, NULL); EVP_CIPHER_CTX_set_key_length(ctx, 24); EVP_DecryptUpdate(ctx, pltmp, &outLen, citmp, 8); // Check the indicator fprintf(stdout,"EVP_des_ede3_ecb (NID %i) decrypt indicator = %i\n", NID, EVP_cipher_get_service_indicator(ctx)); EVP_CIPHER_CTX_cleanup(ctx); EVP_CIPHER_CTX_free(ctx); } CorSSL™ 1.1.1s.006 ©2024 Corsec Security, Inc.
Prepared by: Corsec Security, Inc.
Fairfax, VA 22033 United States of America Phone: +1 703 267 6050 Email: info@corsec.com http://www.corsec.com