| Standard | FIPS 140-3 |
|---|---|
| Overall level | 1 |
| Module type | Software |
| Embodiment | Multi-Chip Stand Alone |
| Status | Active |
| Sunset date | 1/29/2029 |
| Caveat | When operated in approved mode. No assurance of the minimum strength of generated SSPs (e.g., keys) |
| Vendor | Sunhillo Corporation |
| Requirement area | Level |
|---|---|
| Cryptographic Module Specification | 1 |
| Cryptographic Module Interfaces | 1 |
| Roles, Services, and Authentication | 1 |
| Software/Firmware Security | 1 |
| Operational Environment | 1 |
| Physical Security | N/A |
| Non-Invasive Security | N/A |
| Sensitive Security Parameter Management | 1 |
| Self-Tests | 1 |
| Life-Cycle Assurance | 1 |
| Mitigation of Other Attacks | N/A |
flowchart LR
%% Deterministic review-risk graph for Sunhillo Cryptographic Module
%% Review prompts and evidence gaps, NOT vulnerability findings.
subgraph CMVP["CMVP-disclosed clues"]
C3["[high] Unauthenticated /<br/>self-test / status service<br/>surface<br/><i>Show Status</i>"]
C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>TLS<br/>SSH<br/>HTTPS</i>"]
C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system<br/>application</i>"]
end
subgraph Inference["Derived inference"]
I3["Some services may process<br/>input before, or without,<br/>operator authentication."]
I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
end
subgraph Risk["Reviewer question"]
R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
end
subgraph Evidence["Evidence needed to close"]
E3["pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
end
C3 --> I3 --> R3 --> E3
C5 --> I5 --> R5 --> E5
C6 --> I6 --> R6 --> E6
classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
class C3,C5,C6 clue;
class I3,I5,I6 infer;
class R3,R5,R6 risk;
class E3,E5,E6 evidence;flowchart LR
%% Deterministic clue tier for Sunhillo Cryptographic Module
%% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
subgraph CMVP["CMVP-disclosed clues (deterministic)"]
C3["[high] Unauthenticated / self-test / status service surface<br/><i>Show Status</i><br/>src: securityPolicy.services"]
C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>TLS<br/>SSH<br/>HTTPS</i><br/>src: text:keyword"]
C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system<br/>application</i><br/>src: text:keyword"]
end
classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
class C3 clueHigh;
class C5,C6 clueLow;Sunhillo Corporation Sunhillo Cryptographic Module Software Version: 1.1.1s.006 FIPS Security Level: 1 Document Version: 0.2 Prepared for: Prepared by: Sunhillo Corporation
West Berlin, NJ 08091 United States of America Corsec Security, Inc.
Fairfax, VA 22033 United States of America Phone: +1 856 767 7686 https://www.sunhillo.com/ Phone: +1 703 267 6050 www.corsec.com
March 28, 2025 Abstract This is a non-proprietary Cryptographic Module Security Policy for the Sunhillo Cryptographic Module (software version: 1.1.1s.006) from Sunhillo Corporation (Sunhillo). This Security Policy describes how the Sunhillo Cryptographic Module meets the security requirements of Federal Information Processing Standards (FIPS) Publication 140-3, which details the U.S. and Canadian government requirements for cryptographic modules. More information about the FIPS 140-3 standard and validation program is available on the Cryptographic Module Validation Program (CMVP) website, which is maintained by the National Institute of Standards and Technology (NIST) and the Canadian Centre for Cyber Security (CCCS). This document also describes how to run the module in a secure Approved mode of operation. This policy was prepared as part of the Level 1 FIPS 140-3 validation of the module. The Sunhillo Cryptographic Module is referred to in this document as “Sunhillo Cryptographic Module” or “module”. References This document deals only with operations and capabilities of the module in the technical terms of a FIPS 140-3 cryptographic module security policy. More information is available on the module from the following sources:
March 28, 2025 Table of Contents 1. 2. 2.1 2.2 2.3 2.4 3. 4. 4.1 4.2 4.3 5. 6. 7. 8. 9. 9.1 9.2 9.3 9.4 9.5
Appendix A. Appendix B. Sunhillo Cryptographic Module 1.1.1s.006 ©2025 Sunhillo Corporation
March 28, 2025 List of Tables List of Figures Sunhillo Cryptographic Module 1.1.1s.006 ©2025 Sunhillo Corporation
| Name | ISO Section | Requirement | Level |
|---|---|---|---|
| 1 | 1 | General | 1 |
| 2 | 2 | Cryptographic Module Specification | 1 |
| 3 | 3 | Cryptographic Module Interfaces | 1 |
| 4 | 4 | Roles, Services, and Authentication | 1 |
| 5 | 5 | Software/Firmware Security | 1 |
| 6 | 6 | Operational Environment | 1 |
| 7 | 7 | Physical Security | N/A |
| 8 | 8 | Non-Invasive Security | N/A |
| 9 | 9 | Sensitive Security Parameter Management | 1 |
| 10 | 10 | Self-Tests | 1 |
| 11 | 11 | Life-Cycle Assurance | 1 |
| 12 | 12 | Mitigation of Other Attacks | N/A |
Sunhillo Cryptographic Module 1.1.1s.006 ©2025 Sunhillo Corporation
| Name | Operating System | Hardware Platform | Processor | Paa Pai | # |
|---|---|---|---|---|---|
| 1 | Debian 9 | Dell PowerEdge R440 | Intel® Xeon Silver 4214R | With (AES-NI) | 1 |
| 2 | Debian 9 | Dell PowerEdge R440 | Intel® Xeon Silver 4214R | Without | 2 |
Sunhillo Cryptographic Module 1.1.1s.006 ©2025 Sunhillo Corporation
| Name | CAVP Cert | Mode Method | Key Size | Use Function |
|---|---|---|---|---|
| AES FIPS PUB5 197 NIST SP 800-38A | A4978 | CBC6, CFB17, CFB8, CFB128, CTR8, ECB9, OFB10 | 128, 192, 256 | Encryption/decryption |
| AES NIST SP 800-38B | A4978 | CMAC11 | 128, 192, 256 | MAC generation/verification |
| AES NIST SP 800-38C | A4978 | CCM12 | 128, 192, 256 | Encryption/decryption |
| AES NIST SP 800-38D | A4978 | GCM13 (internal IV) | 128, 192, 256 | Encryption/decryption |
| AES NIST SP 800-38D | A4978 | GMAC14 | 128, 192, 256 | MAC eneration/verification |
| AES NIST SP 800-38E | A4978 | XTS15,16,17 | 128, 256 | Encryption/decryption |
| AES NIST SP 800-38F | A4978 | KW18, KWP19 | 128, 192, 256 | Encryption/decryption |
| CKG20 NIST SP 800-133rev2 | Vendor Affirmed | Cryptographic key generation | ||
| CVL21 NIST SP 800-135rev1 | A4978 | KDF (SSH, TLS22 v1.0/1.1, v1.2) | Key derivation No parts of the SSH or TLS protocols, other than the KDFs, have been tested by the CAVP and CMVP. | |
| CVL RFC23 7627 | A4978 | KDF (TLS v1.2) | Key derivation No part of the TLS v1.2 protocol, other than the KDF, has been tested by the CAVP and CMVP. | |
| CVL RFC 8446 | A4979 | KDF (TLS v1.3) | Key derivation No part of the TLS v1.3 protocol, other than the KDF, has been tested by the CAVP and CMVP. | |
| DRBG24 NIST SP 800-90Arev1 | A4978 | Counter-based | 128, 192, 256-bit AES-CTR | Deterministic random bit generation |
| DSA25 FIPS PUB 186-4 | A4978 | KeyGen | 2048/224, 2048/256, 3072/256 | Key pair generation |
| PQGGen | PQGGen | 2048/224, 2048/256, 3072/256 (SHA2-224, SHA2- 256, SHA2-384, SHA2-512) | Domain parameter generation | |
| PQGVer | PQGVer | 2048/224, 2048/256, 3072/256 (SHA2-224, SHA2- 256, SHA2-384, SHA2-512) | Domain parameter verification | |
| SigGen | SigGen | 2048/224, 2048/256, 3072/256 (SHA2-224, SHA2- 256, SHA2-384, SHA2-512) | Digital signature generation | |
| SigVer | SigVer | 2048/224, 2048/256, 3072/256 (SHA-1, SHA2-224, SHA2-256, SHA2-384, SHA2- 512) | Digital signature verification | |
| ECDSA26 FIPS PUB 186-4 | A4978 | KeyGen Secret generation mode: Testing candidates | B-233, B-283, B-409, B-571, K-233, K-283, K-409, K-571, P-224, P-256, P-384, P-521 | Key pair generation |
| KeyVer | KeyVer | B-163, B-233, B-283, B-409, B-571, K-163, K-233, K-283, K-409, K-571, P-192, P-224, P-256, P-384, P-521 | Public key validation | |
| SigGen | SigGen | B-233, B-283, B-409, B-571, K-233, K-283, K-409, K-571, P-224, P-256, P-384, P-521 (SHA2-224, SHA2-256, SHA2- 384, SHA2-512) | Digital signature generation | |
| SigVer | SigVer | B-163, B-233, B-283, B-409, B-571, K-163, K-233, K-283, K-409, K-571, P-192, P-224, P-256, P-384, P-521 (SHA-1, SHA2-224, SHA2-256, SHA2- 384, SHA2-512) | Digital signature verification | |
| HMAC FIPS PUB 198-1 | A4978 | SHA-1, SHA2-224, SHA2- 256, SHA2-384, SHA2- 512, SHA3-224, SHA3- 256, SHA3-384, SHA3- 512 | 112 (minimum) | Message authentication |
| KAS-ECC-SSC27 NIST SP 800-56Arev3 | A4978 | ephemeralUnified | B-233, B-283, B-409, B-571, K-233, K-283, K-409, K-571, P-224, P-256, P-384, P-521 | Shared secret computation |
| KAS-FFC-SSC28 NIST SP 800-56Arev3 | A4978 | dhEphem | 2048/224 (FB), 2048/256 (FC) | |
| KDA29 NIST SP 800-56Crev2 | A4978 | HKDF | SHA2-224, SHA2-256, SHA2- 384, SHA2-512, SHA2- 512/224, SHA2-512/256, SHA3-224, SHA3-256, SHA3- 384, SHA3-512) | Key derivation |
| KTS30 NIST SP 800-38C | A4978 | AES-CCM | 128, 192, 256 | Key wrap/unwrap (authenticated encryption)31 Key establishment methodology provides between 128 and 256 bits of encryption strength |
| KTS NIST SP 800-38D | A4978 | AES-GCM | 128, 192, 256 | Key wrap/unwrap (authenticated encryption)32 Key establishment methodology provides between 128 and 256 bits of encryption strength |
| KTS NIST SP 800-38F | A4978 | AES-KW, AES-KWP | 128, 192, 256 | Key wrap/unwrap Key establishment methodology provides between 128 and 256 bits of encryption strength |
| KTS FIPS PUB 197 NIST SP 800-38B | A4978 | AES-CMAC | 128, 192, 256 | Key wrap/unwrap (encryption with message authentication)33 Key establishment methodology provides between 128 and 256 bits of encryption strength |
| KTS FIPS PUB 197 FIPS PUB 198-1 | A4978 | AES-ECB with HMAC | 128, 192, 256 | Key wrap/unwrap (encryption with message authentication)34 Key establishment methodology provides between 128 and 256 bits of encryption strength |
| PBKDF235 NIST SP 800-132 | A4978 | Section 5.4, option 1a | SHA-1, SHA2-224, SHA2-256, SHA2-384, SHA2-512, SHA3- 224, SHA3-256, SHA3-384, SHA3-512 | Password-based key derivation |
| RSA36 FIPS PUB 186-4, Appendix B.3.3 | A4978 | Key generation mode: B.3.3 | 2048, 3072, 4096 | Key pair generation |
| RSA FIPS PUB 186-4 | A4978 | X9.31 | 2048, 3072, 4096 (SHA2-256, SHA2-384, SHA2-512) | Digital signature generation |
| 1024, 2048, 3072, 4096 (SHA-1, SHA2-256, SHA2- 384, SHA2-512) | 1024, 2048, 3072, 4096 (SHA-1, SHA2-256, SHA2- 384, SHA2-512) | Digital signature verification | ||
| PKCS#1 v1.5 | PKCS#1 v1.5 | 2048, 3072, 4096 (SHA2-224, SHA2-256, SHA2-384, SHA2- 512) | Digital signature generation | |
| 1024, 2048, 3072, 4096 (SHA-1, SHA2-224, SHA2- 256, SHA2-384, SHA2-512) | 1024, 2048, 3072, 4096 (SHA-1, SHA2-224, SHA2- 256, SHA2-384, SHA2-512) | Digital signature verification | ||
| PSS37 | PSS37 | 2048, 3072, 4096 (SHA2-224, SHA2-256, SHA2-384, SHA2- 512) | Digital signature generation | |
| 1024, 2048, 3072, 4096 (SHA-1, SHA2-224, SHA2- 256, SHA2-384, SHA2-512) | 1024, 2048, 3072, 4096 (SHA-1, SHA2-224, SHA2- 256, SHA2-384, SHA2-512) | Digital signature verification | ||
| SHA-3 FIPS PUB 202 | A4978 | SHA3-224, SHA3-256, SHA3-384, SHA3-512, SHAKE38-128, SHAKE-256 | Message digest | |
| SHS39 FIPS PUB 180-4 | A4978 | SHA-1, SHA2-224, SHA2- 256, SHA2-384, SHA2- 512 | Message digest | |
| Triple-DES NIST SP 800-67 NIST SP 800-38A | A4978 | CBC, CFB1, CFB8, CFB64, ECB, OFB | 168 | Decryption |
| Triple-DES NIST SP 800-67 NIST SP 800-38B | A4978 | CMAC | 112, 168 | MAC verification |
March 28, 2025 Table 3
4 This table includes vendor-affirmed algorithms that are approved but CAVP testing is not yet available.
ECB
GCM
XTS
TLS
Sunhillo Cryptographic Module 1.1.1s.006 ©2025 Sunhillo Corporation
Sunhillo Cryptographic Module 1.1.1s.006 ©2025 Sunhillo Corporation
SHA-1, SHA2-224, SHA2256, SHA2-384, SHA2512, SHA3-224, SHA3256, SHA3-384, SHA3512 March 28, 2025
27 KAS-ECC-SSC
KAS-FFC-SSC
31 Per FIPS 140-3 Implementation Guidance D.G, AES-CCM is an Approved key transport technique.
32 Per FIPS 140-3 Implementation Guidance D.G, AES-GCM is an Approved key transport technique.
Per FIPS 140-3 Implementation Guidance D.G, AES with CMAC is an Approved key transport technique.
34 Per FIPS 140-3 Implementation Guidance D.G, AES (in any Approved mode) with HMAC is an Approved key transport technique.
Sunhillo Cryptographic Module 1.1.1s.006 ©2025 Sunhillo Corporation
B.3.3 March 28, 2025 The vendor affirms the following cryptographic security methods:
SHAKE
Sunhillo Cryptographic Module 1.1.1s.006 ©2025 Sunhillo Corporation
| Name | Use Function | Use / Function |
|---|---|---|
| AES | Cert. A4978; key unwrapping; Per IG D.G. | Symmetric key unwrapping |
| RSA | Cert. A4978; key unencapsulation: Per IG D.G. | Asymmetric key unencapsulation |
| SHA-1 | Cert. A4978; secure hashing | Digital signature generation in TLS v1.0/1.140 |
| Triple-DES | Cert. A4978; key unwrapping; Per IG D.G. | Symmetric key unwrapping |
| AES-GCM (non-compliant when used with external IV) | Authenticated encryption/decryption | |
| AES-OCB41 | Authenticated encryption/decryption | |
| ANSI X9.31 RNG (with 128-bit AES core) | Random number generation | |
| ARIA | Encryption/decryption | |
| Blake2 | Encryption/decryption | |
| Blowfish | Encryption/decryption | |
| Camellia | Encryption/decryption | |
| CAST, CAST5 | Encryption/decryption | |
| ChaCha20 | Encryption/decryption | |
| DES | Encryption/decryption | |
| DH (non-compliant with key sizes below 2048 bits) | Key agreement |
| Name | Use Function | Use / Function |
|---|---|---|
| AES | Cert. A4978; key unwrapping; Per IG D.G. | Symmetric key unwrapping |
| RSA | Cert. A4978; key unencapsulation: Per IG D.G. | Asymmetric key unencapsulation |
| SHA-1 | Cert. A4978; secure hashing | Digital signature generation in TLS v1.0/1.140 |
| Triple-DES | Cert. A4978; key unwrapping; Per IG D.G. | Symmetric key unwrapping |
| AES-GCM (non-compliant when used with external IV) | Authenticated encryption/decryption | |
| AES-OCB41 | Authenticated encryption/decryption | |
| ANSI X9.31 RNG (with 128-bit AES core) | Random number generation | |
| ARIA | Encryption/decryption | |
| Blake2 | Encryption/decryption | |
| Blowfish | Encryption/decryption | |
| Camellia | Encryption/decryption | |
| CAST, CAST5 | Encryption/decryption | |
| ChaCha20 | Encryption/decryption | |
| DES | Encryption/decryption | |
| DH (non-compliant with key sizes below 2048 bits) | Key agreement | |
| DSA (non-compliant) | Digital signature generation | |
| ECDSA (non-compliant) | Digital signature generation | |
| RSA (non-compliant when used with SHA-1 outside the TLS protocol) | Digital signature generation | |
| DSA (non-compliant with key sizes below the minimums Approved for Approved mode) | Key pair generation, digital signature verification | |
| ECDH (non-compliant with curves P-192, K-163, B- 163, and non-NIST curves) | Key agreement | |
| ECDSA (non-compliant with curves P-192, K-163, B- 163, and non-NIST curves) | Key pair generation, digital signature verification | |
| EdDSA42 | Key pair generation, digital signature generation, digital signature verification | |
| IDEA | Encryption/decryption | |
| MD2, MD4, MD5 | Message digest | |
| Poly1305 | Message authentication code | |
| RC243, RC4, RC5 | Encryption/decryption | |
| RIPEMD | Message digest | |
| RMD160 | Message digest | |
| RSA (non-compliant with non-approved/untested key sizes, and functions) | Key pair generation; digital signature generation; digital signature verification; key transport | |
| SEED | Encryption/decryption | |
| SM2, SM3 | Message digest | |
| SM4 | Encryption/decryption | |
| Triple-DES (non-compliant) | Encryption; MAC generation; key wrap | |
| Whirlpool | Message digest |
March 28, 2025 seed is an unmodified output from the DRBG. The cryptographic module invokes a GET command to obtain entropy for random number generation (the module requests 256 bits of entropy from the calling application per request), and then passively receives entropy from the calling application while having no knowledge of the entropy source and exercising no control over the amount or the quality of the obtained entropy. The calling application and its entropy sources are located within the operational environment inside the module’s physical perimeter but outside the cryptographic boundary. Thus, there is no assurance of the minimum strength of the generated keys. The module implements the non-Approved but allowed algorithms shown in Table 4 below. Table 4
Sunhillo Cryptographic Module 1.1.1s.006 ©2025 Sunhillo Corporation
2.3 March 28, 2025 Cryptographic Boundary As a software cryptographic module, the module has no physical components. The physical perimeter of the cryptographic module is defined by each host platform on which the module is installed. Figure 1 below illustrates a block diagram of a typical GPC and the module’s physical perimeter. EdDSA
Sunhillo Cryptographic Module 1.1.1s.006 ©2025 Sunhillo Corporation
Hardware Management March 28, 2025 DVD Network Interface RAM HDD Clock Generator SCSI/SATA Controller LEDs/LCD Serial CPU I/O Hub Audio Cache Power Interface PCI/PCIe Slots USB BIOS Graphics Controller PCI/PCIe Slots External Power Supply KEY: Plaintext Data Encrypted Data Control Input Status Output Physical Perimeter BIOS
March 28, 2025 libssl libssl.hmac libcrypto libcrypto.hmac Calling Application KEY: Cryptographic Boundary Physical Perimeter Operating System Data Input Data Output Control Input Control Output Status Output System Calls CPU Memory Storage Ports Host Device Figure 2
| Name | Physical Port | Logical Interface | Data That Passes |
|---|---|---|---|
| Physical data input port(s) of the tested platforms | Physical data input port(s) of the tested platforms | Data Input • API input arguments that provide input data for processing | • Data to be encrypted, decrypted, signed, verified, or hashed • Keys to be used in cryptographic services • Random seed material for the module’s DRBG • Keying material to be used as input to key establishment services |
| Physical data output port(s) of the tested platforms | Physical data output port(s) of the tested platforms | Data Output • API output arguments that return generated or processed data back to the caller | • Data that has been encrypted, decrypted, or verified • Digital signatures • Hashes • Random values generated by the module’s DRBG • Keys established using module’s key establishment methods |
| Physical control input port(s) of the tested platforms | Physical control input port(s) of the tested platforms | Control Input • API input arguments that are used to initialize and control the operation of the module | • API commands invoking cryptographic services • Modes, key sizes, etc. used with cryptographic services |
| Physical status output port(s) of the tested platforms | Physical status output port(s) of the tested platforms | Status Output • API call return values | • Status information regarding the module • Status information regarding the invoked service/operation |
| Name | Roles | Input | Output |
|---|---|---|---|
| Show Status | CO | API call parameters | Current operational status |
| Perform self-tests on-demand | CO | Re-instantiate module; API call parameters | Status |
| Zeroize | CO | Restart calling application; reboot or power-cycle host platform | None |
| Show versioning information | CO | API call parameters | Module name, version |
| Perform symmetric encryption | User | API call parameters, key, plaintext | Status, ciphertext |
| Perform symmetric decryption | User | API call parameters, key, ciphertext | Status, plaintext |
| Generate symmetric digest | User | API call parameters, key, plaintext | Status, digest |
| Verify symmetric digest | User | API call parameters, digest | Status |
| Perform authenticated symmetric encryption | User | API call parameters, key, plaintext | Status, ciphertext |
| Perform authenticated symmetric decryption | User | API call parameters, key, ciphertext | Status, plaintext |
| Generate random number | User | API call parameters | Status, random bits |
| Perform keyed hash operations | User | API call parameters, key, message | Status, MAC44 |
| Perform hash operation | User | API call parameters, message | Status, hash |
| Generate DSA domain parameters | User | API call parameters | Status, domain parameters |
| Verify DSA domain parameters | User | API call parameters | Status, domain parameters |
| Generate asymmetric key pair | User | API call parameters | Status, key pair |
| Verify ECDSA public key | User | API call parameters, key | Status |
| Generate digital signature | User | API call parameters, key, message | Status, signature |
| Verify digital signature | User | API call parameters, key, signature, message | Status |
| Perform key wrap | User | API call parameters, encryption key, key | Status, encrypted key |
| Perform key unwrap | User | API call parameters, decryption key, encrypted key | Status, decrypted key |
| Compute shared secret | User | API call parameters | Status, shared secret |
| Derive SSH keys | User | API call parameters, SSH master secret | Status, SSH keys |
| Derive TLS keys | User | API call parameters, TLS pre- master secret | Status, TLS keys |
| Derive key via HKDF | User | API call parameters | Status, key |
| Derive key via PBKDF2 | User | API call parameters, passphrase | Status, key |
| Generate symmetric digest (CMAC) | User | API call parameters, key, message | Status, MAC |
4. March 28, 2025 Roles, Services, and Authentication The sections below describe the module’s authorized roles, services, and operator authentication methods. 4.1 Authorized Roles The module supports a Crypto Officer (CO) that authorized operators can assume. The CO role performs cryptographic initialization or management functions and general security services. The module also supports the following role(s):
Sunhillo Cryptographic Module 1.1.1s.006 ©2025 Sunhillo Corporation
4.2 March 28, 2025 Authentication Methods The module does not support authentication mechanisms; roles are implicitly selected based on the service invoked. Refer to Table 7 above for a listing of the services associated with each authorized role. 4.3 Services Descriptions of the services available to the authorized roles are provided in Table 8 below. This module is a software library that provides cryptographic functionality to calling applications. As such, the security functions provided via the module’s APIs are considered security services, and the module provides indicators for Approved security services as required by FIPS 140-3 IG 2.4.C. When invoking an API for an offered security service, the calling application provides inputs (keys, key sizes, modes, etc.) that the module combines into a single, internal structure, or “context”, that drives the execution of the cryptographic service. Each security service invocation will determine if the invoked service is an Approved security service. Upon completion of the service, that context is first updated with the results of the service as well as the Approved security service indicator, and then returned to the calling application. To access the indicator value from the context, the calling application must pass the resultant context to the indicator API associated with that security function (note the indicator check must be performed before any context cleanup is performed). The indicator API will return “1” to indicate the usage of an Approved service. Indicators for services providing non-Approved security functions (as well as for services not requiring an indicator) will have a value other than “1”, ensuring that the indicators for Approved services are unambiguous. Additional details on the APIs used for the Approved service indicators are provided in Appendix B below. Please note that the keys and Sensitive Security Parameters (SSPs) listed in the table indicate the type of access required using the following notation:
| Name | Description | Roles | Csps Accessed | Approved Functions | Access | Indicator |
|---|---|---|---|---|---|---|
| Show Status | Return mode status | CO | None | None | N/A | N/A |
| Perform self- tests on- demand | Perform pre- operational self- tests | CO | None | None | N/A | API return value |
| Zeroize | Zeroize and de- allocate memory containing sensitive data | CO | All SSPs | None | All SSPs – Z | N/A |
| Show versioning information | Return module versioning information | CO | None | None | N/A | N/A |
| Perform symmetric encryption | Encrypt plaintext data | User | AES key XTS-AES key | AES (CBC, CFB1, CFB8, CFB128, CTR, ECB, OFB, KW, KWP) (Cert. A4978) XTS-AES (Cert. A4978) | AES key – WE XTS-AES key – WE | API return value |
| Perform symmetric decryption | Decrypt ciphertext data | User | AES key XTS-AES key Triple-DES key | AES (CBC, CFB1, CFB8, CFB128, CTR, ECB, OFB, KW, KWP) (Cert. A4978) XTS-AES (Cert. A4978) Triple-DES (CBC, CFB1, CFB8, CFB64, ECB, OFB) (Cert. A4978) | AES key – WE XTS-AES key – WE Triple-DES key – WE | API return value |
| Generate symmetric digest | Generate symmetric digest | User | AES CMAC key AES GMAC key | AES (CMAC )(Cert. A4978) AES (GMAC) (Cert. A4978) | AES CMAC key – WE AES GMAC key – WE | API return value |
| Verify symmetric digest | Verify symmetric digest | User | AES CMAC key AES GMAC key Triple-DES CMAC key | AES (CMAC) (Cert. A4978) AES (GMAC) (Cert. A4978) Triple-DES CMAC (Cert. A4978) | AES CMAC key – WE AES GMAC key – WE Triple-DES CMAC key – WE | API return value |
| Perform authenticated symmetric encryption | Encrypt plaintext using supplied AES GCM key and IV | User | AES GCM key AES GCM IV | AES (GCM) (Cert. A4978) | AES GCM key – WE AES GCM IV – WE | API return value |
| Perform authenticated symmetric decryption | Decrypt ciphertext using supplied AES GCM key and IV | User | AES GCM key AES GCM IV | AES (GCM) (Cert. A4978) | AES GCM key – WE AES GCM IV – WE | API return value |
| Generate random number | Return random bits to the calling application | User | DRBG entropy input DRBG seed DRBG ‘V’ value DRBG ‘Key’ value | DRBG (Cert. A4978) | DRBG entropy input – WE DRBG seed – GE DRBG ‘V’ value – GE DRBG ‘Key’ value – GE | API return value |
| Perform keyed hash operations | Compute a message authentication code | User | HMAC key | HMAC (Cert. A4978) SHA (Cert. A4978) | HMAC key – WE | API return value |
| Perform hash operation | Compute a message digest | User | None | SHA (Cert. A4978) | N/A | API return value |
| Generate DSA domain parameters | Generate DSA domain parameters | User | None | DSA (Cert. A4978) | N/A | API return value |
| Verify DSA domain parameters | Verify DSA domain parameters | User | None | DSA (Cert. A4978) | N/A | API return value |
| Generate asymmetric key pair | Generate a public/private key pair | User | DSA public key DSA private key ECDSA public key ECDSA private key RSA public key RSA private key | DSA (Cert. A4978) ECDSA (Cert. A4978) RSA (Cert. A4978) | DSA public key – GR DSA private key – GR ECDSA public key – GR ECDSA private key – GR RSA public key – GR RSA private key – GR | API return value |
| Verify ECDSA public key | Verify an ECDSA public key | User | ECDSA public key | ECDSA (Cert. A4978) | ECDSA public key – W | API return value |
| Generate digital signature | Generate a digital signature | User | RSA private key | RSA (Cert. A4978) | RSA private key – WE | API return value |
| Verify digital signature | Verify a digital signature | User | ECDSA public key RSA public key | ECDSA (Cert. A4978) RSA (Cert. A4978) | ECDSA public key – WE RSA public key – WE | API return value |
| Perform key wrap | Perform key wrap | User | AES key AES CMAC key AES GMAC key AES GCM key AES GCM IV HMAC key | KTS (Cert. A4978) | AES key – WE AES CMAC key – WE AES GMAC key – WE AES GCM key – WE AES GCM IV – WE HMAC key – WE | API return value |
| Perform key unwrap | Perform key unwrap | User | AES key AES CMAC key AES GMAC key AES GCM key AES GCM IV HMAC key Triple-DES key | KTS (Cert. A4978) | AES key – WE AES CMAC key – WE AES GMAC key – WE AES GCM key – WE AES GCM IV – WE HMAC key – WE Triple-DES key – WE | API return value |
| Compute shared secret | Compute DH/ECDH shared secret suitable for use as input to an internal TLS KDF | User | DH public component DH private component ECDH public component ECDH private component TLS pre-master secret | KAS-ECC-SSC (Cert. A4978) KAS-FFC-SSC (Cert. A4978) | DH public component – WE DH private component – WE ECDH public component – WE ECDH private component – WE TLS pre-master secret – GE | API return value |
| Derive SSH keys | Derive SSH session and integrity keys | User | SSH master secret AES key HMAC key | KDF (SSH) (Cert. A4978) | SSH master secret – WE AES key – GR HMAC key – GR | API return value |
| Derive TLS keys | Derive TLS session and integrity keys | User | TLS pre-master secret TLS master secret AES key AES GCM key AES GCM IV HMAC key | KDF (TLS 1.0/1.1) (Cert. A4978) KDF (TLS 1.2) (Cert. A4978) KDF (TLS 1.3) (Cert. A4979) | TLS pre-master secret – WE TLS master secret – GE AES key – GR AES GCM key – GR AES GCM IV – GR HMAC key – GR | API return value |
| Derive key via HKDF | Derive key from HKDF | User | AES key | HKDF (Cert. A4978) | AES key – GR | API return value |
| Derive key via PBKDF2 | Derive key from PBKDF2 | User | Passphrase AES key Triple-DES key | PBKDF (Cert. A4978) | Passphrase – WE AES key – GR Triple-DES key – GR | API return value |
| Perform data encryption (non-compliant) | Perform symmetric data encryption | User | ARIA, Blake2, Blowfish, Camellia, CAST, CAST5, ChaCha20, DES, IDEA, RC2, RC4, RC5, SEED, SM4, Triple- DES (non-compliant) | API return value | ||
| Perform data decryption (non-compliant) | Perform symmetric data decryption | User | ARIA, Blake2, Blowfish, Camellia, CAST, CAST5, ChaCha20, DES, IDEA, RC2, RC4, RC5, SEED, SM4 | API return value |
| Name | Description | Roles | Csps Accessed | Approved Functions | Access | Indicator |
|---|---|---|---|---|---|---|
| Verify ECDSA public key | Verify an ECDSA public key | User | ECDSA public key | ECDSA (Cert. A4978) | ECDSA public key – W | API return value |
| Generate digital signature | Generate a digital signature | User | RSA private key | RSA (Cert. A4978) | RSA private key – WE | API return value |
| Verify digital signature | Verify a digital signature | User | ECDSA public key RSA public key | ECDSA (Cert. A4978) RSA (Cert. A4978) | ECDSA public key – WE RSA public key – WE | API return value |
| Perform key wrap | Perform key wrap | User | AES key AES CMAC key AES GMAC key AES GCM key AES GCM IV HMAC key | KTS (Cert. A4978) | AES key – WE AES CMAC key – WE AES GMAC key – WE AES GCM key – WE AES GCM IV – WE HMAC key – WE | API return value |
| Perform key unwrap | Perform key unwrap | User | AES key AES CMAC key AES GMAC key AES GCM key AES GCM IV HMAC key Triple-DES key | KTS (Cert. A4978) | AES key – WE AES CMAC key – WE AES GMAC key – WE AES GCM key – WE AES GCM IV – WE HMAC key – WE Triple-DES key – WE | API return value |
| Compute shared secret | Compute DH/ECDH shared secret suitable for use as input to an internal TLS KDF | User | DH public component DH private component ECDH public component ECDH private component TLS pre-master secret | KAS-ECC-SSC (Cert. A4978) KAS-FFC-SSC (Cert. A4978) | DH public component – WE DH private component – WE ECDH public component – WE ECDH private component – WE TLS pre-master secret – GE | API return value |
| Derive SSH keys | Derive SSH session and integrity keys | User | SSH master secret AES key HMAC key | KDF (SSH) (Cert. A4978) | SSH master secret – WE AES key – GR HMAC key – GR | API return value |
| Derive TLS keys | Derive TLS session and integrity keys | User | TLS pre-master secret TLS master secret AES key AES GCM key AES GCM IV HMAC key | KDF (TLS 1.0/1.1) (Cert. A4978) KDF (TLS 1.2) (Cert. A4978) KDF (TLS 1.3) (Cert. A4979) | TLS pre-master secret – WE TLS master secret – GE AES key – GR AES GCM key – GR AES GCM IV – GR HMAC key – GR | API return value |
| Derive key via HKDF | Derive key from HKDF | User | AES key | HKDF (Cert. A4978) | AES key – GR | API return value |
| Derive key via PBKDF2 | Derive key from PBKDF2 | User | Passphrase AES key Triple-DES key | PBKDF (Cert. A4978) | Passphrase – WE AES key – GR Triple-DES key – GR | API return value |
| Perform data encryption (non-compliant) | Perform symmetric data encryption | User | ARIA, Blake2, Blowfish, Camellia, CAST, CAST5, ChaCha20, DES, IDEA, RC2, RC4, RC5, SEED, SM4, Triple- DES (non-compliant) | API return value | ||
| Perform data decryption (non-compliant) | Perform symmetric data decryption | User | ARIA, Blake2, Blowfish, Camellia, CAST, CAST5, ChaCha20, DES, IDEA, RC2, RC4, RC5, SEED, SM4 | API return value | ||
| Perform MAC operations (non-compliant) | Perform message authentication operations | User | Poly1305, Triple-DES/CMAC (non-compliant for MAC generation) | API return value | ||
| Perform hash operation (non- compliant) | Perform hash operation | User | MD2, MD4, MD5, RIPEMD, RMD160, SM2, SM3, Whirlpool | API return value | ||
| Perform digital signature functions (non-compliant) | Perform digital signature functions | User | DSA (non-compliant), ECDSA (non-compliant), EdDSA, RSA (non-compliant) | API return value | ||
| Perform key encapsulation (non-compliant) | Perform key encapsulation functions | User | RSA (non-compliant) | API return value | ||
| Perform key un-encapsulation (non-compliant) | Perform key un-encapsulation functions | User | RSA (non-compliant) | API return value | ||
| Perform key wrap (non- compliant) | Perform key wrap functions | User | Triple-DES/CMAC (non- compliant) | API return value | ||
| Perform authenticated encryption/decryption (non- compliant) | Perform authenticated encryption/decryption | User | AES-OCB | API return value | ||
| Perform random number generation (non-compliant) | Perform random number generation | User | ANSI X9.31 RNG (with 128-bit AES core) | API return value | ||
| Perform key pair generation (non-compliant) | Perform key pair generation | User | DSA (non-compliant), ECDSA (non-compliant), EdDSA, RSA (non-compliant) | API return value |
March 28, 2025 *Per FIPS 140-3 Implementation Guidance 2.4.C, the Show Status, Zeroize, and Show Versioning Information services do not require an Approved security Table 9 below lists the non-approved services available to module operators. Table 9
March 28, 2025 Sunhillo Cryptographic Module 1.1.1s.006 ©2025 Sunhillo Corporation
5. March 28, 2025 Software/Firmware Security All software components within the cryptographic boundary are verified using an Approved integrity technique implemented within the cryptographic module itself. The module implements independent HMAC SHA2-256 digest checks to test the integrity of each library file ; failure of the integrity check on either library file will cause the module to enter a critical error state. The module’s integrity check is performed automatically at module instantiation (i.e., when the module is loaded into memory for execution) without action from the module operator. The CO can initiate the pre-operational tests on demand by re-instantiating the module or issuing the FIPS_selftest() API command. The Sunhillo Cryptographic Module is not delivered to end-users as a standalone offering. Rather, it is a pre-built integrated component of Sunhillo’s SureLine OS and SureSentry device. Sunhillo does not provide end-users with any mechanisms to directly access the module, its source code, its APIs, or any information sent to/from the module. Thus, end-users have no ability to independently load the module onto target platforms. No configuration steps are required to be performed by end-users, and no end-user action is required to initialize the module for operation. Sunhillo Cryptographic Module 1.1.1s.006 ©2025 Sunhillo Corporation
6. March 28, 2025 Operational Environment The Sunhillo Cryptographic Module comprises a software cryptographic library that executes in a modifiable operational environment. The cryptographic module has control over its own SSPs. The process and memory management functionality of the host device’s OS prevents unauthorized access to plaintext private and secret keys, intermediate key generation values and other SSPs by external processes during module execution. The module only allows access to SSPs through its well-defined API. The operational environments provide the capability to separate individual application processes from each other by preventing uncontrolled access to CSPs and uncontrolled modifications of SSPs regardless of whether this data is in the process memory or stored on persistent storage within the operational environment. Processes that are spawned by the module are owned by the module and are not owned by external processes/operators. Please refer to section 2.1 of this document for a list/description of the applicable operational environments. Sunhillo Cryptographic Module 1.1.1s.006 ©2025 Sunhillo Corporation
7. March 28, 2025 Physical Security The cryptographic module is a software module and does not include physical security mechanisms. Therefore, per ISO/IEC 19790:2012(E) section 7.7.1, requirements for physical security are not applicable. Sunhillo Cryptographic Module 1.1.1s.006 ©2025 Sunhillo Corporation
8. March 28, 2025 Non-Invasive Security This section is not applicable. There are currently no approved non-invasive mitigation techniques referenced in ISO/IEC 19790:2021 Annex F. Sunhillo Cryptographic Module 1.1.1s.006 ©2025 Sunhillo Corporation
| Name | Strength | Security Function | Generation | Establishment | Storage | Zeroization | Use | Import Export |
|---|---|---|---|---|---|---|---|---|
| AES key (CSP) | Between 128 and 256 bits | AES (CBC, CCM, CFB, CTR, ECB, OFB, KW, KWP modes) (Cert. A4978) KTS (Cert. A4978) | Established via TLS or SSH KDF | Not persistently stored by the module | Unload module; Remove power | Symmetric encryption, decryption | Imported in plaintext via API parameter Never exported | |
| AES GCM key (CSP) | Between 128 and 256 bits | AES (GCM mode) (Cert. A4978) KTS (Cert. A4978) | Established via TLS or SSH KDF | Not persistently stored by the module | Unload module; Remove power | Authenticated symmetric encryption, decryption | Imported in plaintext via API parameter Never exported | |
| XTS-AES key (CSP) | 128 or 256 bits | AES (XTS mode) (Cert. A4978) | Not persistently stored by the module | Unload module; Remove power | Symmetric encryption, decryption | Imported in plaintext via API parameter Never exported | ||
| AES CMAC key (CSP) | Between 128 and 256 bits | AES (CMAC mode) (Cert. A4978) KTS (Cert. A4978) | Not persistently stored by the module | Unload module; Remove power | MAC generation, verification | Imported in plaintext via API parameter Never exported | ||
| AES GMAC key (CSP) | Between 128 and 256 bits | AES (GMAC mode) (Cert. A4978) KTS (Cert. A4978) | Not persistently stored by the module | Unload module; Remove power | MAC generation, verification | Imported in plaintext via API parameter Never exported | ||
| Triple-DES key (CSP) | Triple-DES (CBC, CFB1, CFB8, CFB64, ECB, OFB modes) (Cert. A4978) KTS (Cert. A4978) | Not persistently stored by the module | Unload module; Remove power | Symmetric decryption; key unwrapping | Imported in plaintext via API parameter Never exported | |||
| Triple-DES CMAC key (CSP) | Triple-DES (CMAC mode) (Cert. A4978) | Not persistently stored by the module | Unload module; Remove power | MAC verification | Imported in plaintext via API parameter Never exported | |||
| HMAC key (CSP) | 112 bits (minimum) | HMAC (Cert. A4978) KTS (Cert. A4978) | Established via TLS or SSH KDF | Not persistently stored by the module | Unload module; Remove power | Keyed hash | Imported in plaintext via API parameter Never exported | |
| DSA private key (CSP) | 112 or 128 bits | DSA (Cert. A4978) | Generated via Approved DRBG | Not persistently stored by the module | Unload module; Remove power | Digital signature generation | Imported in plaintext via API parameter Exported in plaintext via API parameter | |
| DSA public key (PSP) | 112 or 128 bits | DSA (Cert. A4978) | Generated via approved DRBG | Not persistently stored by the module | Unload module; Remove power | Digital signature verification | Imported in plaintext via API parameter Exported in plaintext via API parameter | |
| ECDSA private key (CSP) | Between 112 and 256 bits | ECDSA (Cert. A4978) | Generated via approved DRBG | Not persistently stored by the module | Unload module; Remove power | Digital signature generation | Imported in plaintext via API parameter Exported in plaintext via API parameter | |
| ECDSA public key (PSP) | Between 112 and 256 bits | ECDSA (Cert. A4978) | Generated via approved DRBG | Not persistently stored by the module | Unload module; Remove power | Digital signature verification | Imported in plaintext via API parameter Exported in plaintext via API parameter | |
| RSA private key (CSP) | Between 112 and 150 bits | RSA (Cert. A4978) KTS (Cert. A4978) | Generated via approved DRBG | Not persistently stored by the module | Unload module; Remove power | Digital signature generation | Imported in plaintext via API parameter Exported in plaintext via API parameter | |
| RSA public key (PSP) | Between 80 and 150 bits | RSA (Cert. A4978) KTS (Cert. A4978) | Generated via approved DRBG | Not persistently stored by the module | Unload module; Remove power | Digital signature verification | Imported in plaintext via API parameter Exported in plaintext via API parameter | |
| DH private component (CSP) | 112 bits | KAS-SSC-FFC (Cert. A4978) | Generated via approved DRBG | Not persistently stored by the module | Unload module; Remove power | DH shared secret computation | Imported in plaintext via API parameter Exported in plaintext via API parameter | |
| DH public component (PSP) | 112 bits | KAS-SSC-FFC (Cert. A4978) | Generated via approved DRBG | Not persistently stored by the module | Unload module; Remove power | DH shared secret computation | Imported in plaintext via API parameter Exported in plaintext via API parameter | |
| ECDH private component (CSP) | Between 112 and 256 bits | KAS-SSC-ECC (Cert. A4978) | Generated via approved DRBG | Not persistently stored by the module | Unload module; Remove power | ECDH shared secret computation | Imported in plaintext via API parameter Exported in plaintext via API parameter | |
| ECDH public component (PSP) | Between 112 and 256 bits | KAS-SSC-ECC (Cert. A4978) | Generated via approved DRBG | Not persistently stored by the module | Unload module; Remove power | ECDH shared secret computation | Imported in plaintext via API parameter Exported in plaintext via API parameter | |
| Passphrase (PSP) | PBKDF (Cert. A4978) | Not persistently stored by the module | Unload module; Remove power | Input to PBKDF for key derivation | Imported in plaintext via API parameter Never exported | |||
| AES GCM IV (CSP) | AES (GCM mode) (Cert. A4978) | Generated in compliance with the provisions of a peer-to-peer industry standard protocol | Not persistently stored by the module | Unload module; Remove power | Initialization vector for AES GCM | |||
| SSH shared secret (CSP) | KDF (SSH) (Cert. A4978) | Established via ECC/FFC shared secret computation | Not persistently stored by the module | Unload module; Remove power | Derivation of the AES key and HMAC key used for securing SSH connections | Imported in plaintext via API parameter Exported in plaintext via API parameter | ||
| TLS pre-master secret (CSP) | KDF (TLS 1.0/1.1) (Cert. A4978) KDF (TLS 1.2) (Cert. A4978) KDF (TLS 1.3) (Cert. A4979) | Established via ECC/FFC shared secret computation | Not persistently stored by the module | Unload module; Remove power | Derivation of the TLS master secret | Imported in plaintext via API parameter Exported in plaintext via API parameter | ||
| TLS master secret (CSP) | KDF (TLS 1.0/1.1) (Cert. A4978) KDF (TLS 1.2) (Cert. A4978) KDF (TLS 1.3) (Cert. A4979) | Established via TLS KDF (using imported TLS pre-master secret) | Not persistently stored by the module | Unload module; Remove power | Derivation of the AES/AES- GCM key and HMAC key used for securing TLS connections | |||
| DRBG entropy input (CSP) | DRBG (Cert. A4978) | Not persistently stored by the module | Unload module; Remove power | Entropy material for DRBG | Imported in plaintext via API parameter45; Never exported | |||
| DRBG seed (CSP) | DRBG (Cert. A4978) | Generated using nonce along with DRBG entropy input | Not persistently stored by the module | Unload module; Remove power | Seeding material for DRBG | |||
| DRBG ‘V’ value (CSP) | DRBG (Cert. A4978) | Generated | Not persistently stored by the module | Unload module; Remove power | State values for DRBG | |||
| DRBG ‘Key’ value (CSP) | DRBG (Cert. A4978) | Generated | Not persistently stored by the module | Unload module; Remove power | State values for DRBG |
March 28, 2025
March 28, 2025 Sunhillo Cryptographic Module 1.1.1s.006 ©2025 Sunhillo Corporation
March 28, 2025 9.2 DRBGs The module implements the following Approved DRBG:
| Name | Key Size | |
|---|---|---|
| Details | Minimum Number | Entropy Source(s) |
| of Bits of Entropy | of Bits of Entropy | |
| 256 bits of seed material are provided to the module’s DRBG by the calling application. The calling application and its entropy sources are outside the module’s cryptographic boundary. The calling application shall use entropy sources that meet the security strength required for the CTR_DRBG as shown in NIST SP 800-90Arev1, Table 3. This entropy shall be supplied by means of a callback function. The callback function must return an error if the minimum entropy strength cannot be met. | 256 | Calling application |
9.3 March 28, 2025 SSP Storage Techniques There is no mechanism within the module’s cryptographic boundary for the persistent storage of SSPs. The module stores DRBG state values for the lifetime of the DRBG instance. The module uses SSPs passed in on the stack by the calling application and does not store these SSPs beyond the lifetime of the API call. 9.4 SSP Zeroization Methods Maintenance, including protection and zeroization, of any keys and CSPs that exist outside the module’s cryptographic boundary are the responsibility of the end-user. For the zeroization of keys in volatile memory, module operators can unload the module from memory or reboot/power-cycle the host device. 9.5 Table 11
March 28, 2025 10. Self-Tests Both pre-operational and conditional self-tests are performed by the module. Pre-operational tests are performed between the time the cryptographic module is instantiated and before the module transitions to the operational state. Conditional self-tests are performed by the module during module operation when certain conditions exist. The following sections list the self-tests performed by the module, their expected error status, and the error resolutions. 10.1 Pre-Operational Self-Tests The module performs the following pre-operational self-test(s):
Sunhillo Cryptographic Module 1.1.1s.006 ©2025 Sunhillo Corporation
March 28, 2025 To ensure all CASTs are performed prior to the first operational use of the associated algorithm, all CASTs are performed during the module’s initial power-up sequence. The SHA and HMAC KATs are performed prior to the pre-operational software integrity test; all other CASTs are executed after the successful completion of the software integrity test.
Sunhillo Cryptographic Module 1.1.1s.006 ©2025 Sunhillo Corporation
March 28, 2025 11. Life-Cycle Assurance The sections below describe how to ensure the module is operating in its validated configuration, including the following:
March 28, 2025
March 28, 2025 The module also supports internal IV generation using the module’s Approved DRBG. The IV is at least 96 bits in length per section 8.2.2 of NIST SP 800-38D. Per NIST SP 800-38D and scenario 2 of FIPS 140-3 IG C.H, the DRBG generates outputs such that the (key/IV) pair collision probability is less than 2-32. In the event that power to the module is lost and subsequently restored, the calling application must ensure that any AES-GCM keys used for encryption or decryption are re-distributed.
March 28, 2025 12. Mitigation of Other Attacks This section is not applicable. The module does not claim to mitigate any attacks beyond the FIPS 140-3 Level 1 requirements for this validation. Sunhillo Cryptographic Module 1.1.1s.006 ©2025 Sunhillo Corporation
| Name | Term | Definition | |
|---|---|---|---|
| AES | AES | Advanced Encryption Standard | |
| ANSI | ANSI | American National Standards Institute | |
| API | API | Application Programming Interface | |
| CAST | CAST | Cryptographic Algorithm Self-Test | |
| CBC | CBC | Cipher Block Chaining | |
| CCCS | CCCS | Canadian Centre for Cyber Security | |
| CCM | CCM | Counter with | Cipher Block Chaining - Message Authentication Code |
| CFB | CFB | Cipher Feedback | |
| CKG | CKG | Cryptographic Key Generation | |
| CMAC | CMAC | Cipher-Based Message Authentication Code | |
| CMVP | CMVP | Cryptographic Module Validation Program | |
| CO | CO | Cryptographic Officer | |
| CPU | CPU | Central Processing Unit | |
| CTR | CTR | Counter | |
| CVL | CVL | Component Validation List | |
| DEP | DEP | Default Entry Point | |
| DES | DES | Data Encryption Standard | |
| DH | DH | Diffie-Hellman | |
| DRBG | DRBG | Deterministic Random Bit Generator | |
| DSA | DSA | Digital Signature Algorithm | |
| ECB | ECB | Electronic Code Book | |
| ECC | ECC | Elliptic Curve Cryptography | |
| ECC CDH | ECC CDH | Elliptic Curve Cryptography Cofactor Diffie-Hellman | |
| ECDH | ECDH | Elliptic Curve Diffie-Hellman | |
| ECDSA | ECDSA | Elliptic Curve Digital Signature Algorithm | |
| FFC | FFC | Finite Field Cryptography | |
| FIPS | FIPS | Federal Information Processing Standard | |
| GCM | GCM | Galois/Counter Mode | |
| GMAC | GMAC | Galois Message Authentication Code |
March 28, 2025 Appendix A. Acronyms and Abbreviations Table 12 provides definitions for the acronyms and abbreviations used in this document. Table 12
| Name | Term | Definition |
|---|---|---|
| GPC | GPC | General-Purpose Computer |
| HMAC | HMAC | (keyed-) Hash Message Authentication Code |
| KAS | KAS | Key Agreement Scheme |
| KAT | KAT | Known Answer Test |
| KDF | KDF | Key Derivation Function |
| KTS | KTS | Key Transport Scheme |
| KW | KW | Key Wrap |
| KWP | KWP | Key Wrap with Padding |
| MD | MD | Message Digest |
| NIST | NIST | National Institute of Standards and Technology |
| OCB | OCB | Offset Codebook |
| OE | OE | Operational Environment |
| OFB | OFB | Output Feedback |
| OS | OS | Operating System |
| PBKDF | PBKDF | Password-Based Key Derivation Function |
| PCT | PCT | Pairwise Consistency Test |
| PKCS | PKCS | Public Key Cryptography Standard |
| PSS | PSS | Probabilistic Signature Scheme |
| PUB | PUB | Publication |
| RC | RC | Rivest Cipher |
| RNG | RNG | Random Number Generator |
| RSA | RSA | Rivest Shamir Adleman |
| SHA | SHA | Secure Hash Algorithm |
| SHAKE | SHAKE | Secure Hash Algorithm KECCAK |
| SHS | SHS | Secure Hash Standard |
| SP | SP | Special Publication |
| SSC | SSC | Shared Secret Computation |
| TDES | TDES | Triple Data Encryption Standard |
| TLS | TLS | Transport Layer Security |
| TOEPP | TOEPP | Tested OE’s Physical Perimeter |
| XEX | XEX | XOR Encrypt XOR |
| XTS | XTS | XEX-Based Tweaked-Codebook Mode with Ciphertext Stealing |
Sunhillo Cryptographic Module 1.1.1s.006 ©2025 Sunhillo Corporation March 28, 2025
March 28, 2025 Appendix B. Approved Service Indicators This appendix specifies the APIs that are externally accessible and return the Approved security service indicators. Synopsis #include <openssl/service_indicator.h> #include <openssl/ssl.h> int EVP_cipher_get_service_indicator(EVP_CIPHER_CTX *ctx); int DSA_get_service_indicator(DSA * ptr_dsa, DSA_MODES_t mode); int RSA_key_get_service_indicator(RSA * ptr_rsa); int PBKDF_get_service_indicator(); int EVP_Digest_get_service_indicator(EVP_MD_CTX *ctx); int EC_key_get_service_indicator(EC_KEY *ec_key); int CMAC_get_service_indicator(CMAC_CTX *cmac_ctx, CMAC_MODE_t mode); int HMAC_get_service_indicator(HMAC_CTX *ctx); int TLSKDF_get_service_indicator(EVP_PKEY_CTX *tls_ctx); int TLS1_3_kdf_get_service_indicator(EVP_MD *md); int TLS1_3_get_service_indicator(SSL *s); int DRBG_get_service_indicator(RAND_DRBG *drbg); Description These APIs are high-level interfaces that return the Approved security service indicator value based on the parameter(s) passed to them.
March 28, 2025
March 28, 2025 int NID = EVP_CIPHER_CTX_nid(ctx); fprintf(stdout,"EVP_des_ede3_ecb (NID %i) encrypt indicator = %i\n", NID, EVP_cipher_get_service_indicator(ctx)); EVP_CIPHER_CTX_cleanup(ctx); //Decrypt ctx = EVP_CIPHER_CTX_new(); EVP_DecryptInit_ex(ctx, cipher, NULL, key, NULL); EVP_CIPHER_CTX_set_key_length(ctx, 24); EVP_DecryptUpdate(ctx, pltmp, &outLen, citmp, 8); // Check the indicator fprintf(stdout,"EVP_des_ede3_ecb (NID %i) decrypt indicator = %i\n", NID, EVP_cipher_get_service_indicator(ctx)); EVP_CIPHER_CTX_cleanup(ctx); EVP_CIPHER_CTX_free(ctx); } Sunhillo Cryptographic Module 1.1.1s.006 ©2025 Sunhillo Corporation
Prepared by: Corsec Security, Inc.
Fairfax, VA 22033 United States of America Phone: +1 703 267 6050 Email: info@corsec.com http://www.corsec.com